Cyber Insurance by Definition
Protection against losses related to information security breaches, such as data theft/loss, business interruption caused by a computer malfunction or virus, and fines or lost income because of system downtime and/or network intrusion.

Investigating Cyber Insurance
- Risk Management is the responsibility of our Department of Administrative Services
- State CIO participating in the review process to insure at the enterprise level
- Georgia Board of Regents has already insured the university system

No Substitute for Security
- Cyber insurance does not cover all information security risks
- Weak security may make coverage too expensive or impossible to obtain
- Coverage could be a disincentive to strengthening security if it is considered a safety net

Challenges for States
- Limited data about public sector use
- Federated models: underwriting is complicated by incongruent security postures and exposures across agencies
- Varying statutes: 47 states have breach laws; Georgia requires a higher standard of response for breaches of fewer than 50K records than for larger ones

Challenges for States (cont.)
- Role of sovereign immunity
- Premiums and deductibles may be cost-prohibitive
- Self-insurance by states

What is a Data Breach?
- "Data breach" is a term of art, and the precise definition depends on the applicable state and federal law(s).
- Data breach notification laws exist in 46 states, the District of Columbia, Puerto Rico, and the Virgin Islands.
- The trigger is based on the individual's state of residence.
- Federal sector-specific laws (e.g., HIPAA/HITECH for healthcare and FERPA for student records) may also present separate breach reporting obligations, and apply to types of personal information not explicitly covered by the Montana statute.
- In Montana, a breach is the unauthorized acquisition of personal information that is reasonably believed to have caused loss or injury.

Personal Information Under Montana Law
First name or first initial and last name of an individual, in combination with any one or more of the following data elements, when the name and the data elements are not encrypted:
- Social Security number or tax identification number;
- Driver's license number, state identification number, or similar identification number issued by any state, district, or territory;
- An account number or credit or debit card number in combination with any required security code, access code, or password that would permit access to a person's financial account.
Personal information does not include public information lawfully made available from federal, state, local, or tribal government records.

When an Incident Becomes a Data Breach in Montana
Under Montana law, "data breach" means the unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by a state agency or by a third party on behalf of a state agency and causes or is reasonably believed to cause loss or injury to a person. Mont. Code Anno., (1).
Risk of Harm reporting threshold:
- What "materially compromises the security, confidentiality, or integrity of personal information" is open to interpretation.
- AG guidance in other states.

Cyber Incident Response Process, Step One: Notify Response Team
- Use the term "incident" instead of "breach" as a point of reference in all communications.
- Notify your agency's internal incident response team (i.e. agency head, IT manager, risk manager, attorney, etc.).
- Notify the cyber insurance brokerage firm and cyber insurance carrier.
- Follow the instructions found at the Risk Management & Tort Defense Division's (RMTD) website at
  - Call us within 24 hours at (406)
  - Have the immediate supervisor complete the Report of Incident and send it to us within two days.
- Do not contact individuals whose information may have been released.
- Do not contact law enforcement or regulatory authorities (that will be done by the insurance carrier's attorneys).

Cyber Incident Response Process, Step Two: Escalate as Necessary
- Internal investigation and reporting of the incident to the State's cyber liability insurance carrier;
- Privacy counsel (attorney-client privilege and work product protections);
- Computer forensics expert;
- Public relations and crisis management consultant;
- Mailing/notification vendor (is your agency equipped to print and mail 5,000 notification letters? How about 50,000? 500,000?).
Timing is everything: notification (to the affected individuals) must be made without unreasonable delay, consistent with the legitimate needs of law enforcement or with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Mont. Code Anno., (1)(b). Other states impose fixed deadlines.

DPHHS Message to Public/Press
Regrettably, a DPHHS server was hacked. We apologize that this happened and want to provide you with more information and the steps we are taking to protect our clients and staff who had information on the affected server.

What happened?
On May 22, 2014, outside forensic experts confirmed that hackers gained entry to a Department of Public Health and Human Services (DPHHS) computer server, though there is no evidence that information on the server was used inappropriately or even accessed. DPHHS took immediate action on May 15 when it first detected suspicious activity by shutting down the server, contacting law enforcement and bringing in outside experts to help investigate. Based on our investigation, we believe the hackers first gained entry in July of
The information on the server may have included names, addresses, dates of birth, Social Security numbers and limited clinical information. This incident should not impact MT DPHHS services as none of the information contained on the server was lost and we have a complete back-up of the information.

When did it happen?
On May 22, 2014, outside forensic experts confirmed that a DPHHS server had been hacked. DPHHS took immediate action on May 15 when it first detected suspicious activity by shutting down the server, contacting law enforcement and bringing in outside experts to help investigate.

DPHHS Message to Public/Press (cont.)
How did this happen?
Unknown computer hackers used malware to gain entry to a DPHHS server containing client and agency employee personal information.

Have those affected clients been notified?
At this time, DPHHS is in the process of notifying all those people with information on the server.

What type of security is in place on the server?
We are continuously working to improve security of our computer networks and are committed to protecting client information. We deeply regret any inconvenience to you as a result of this incident. To help prevent something like this from happening in the future, we have taken the affected server offline, and a new server containing backup files is being scanned and safely brought online. DPHHS has purchased additional security software to better protect sensitive information on existing servers, and as part of an internal investigation, DPHHS is reviewing existing policies and procedures to determine how to prevent this from happening again in the future.

Will this affect the services I receive?
This incident should not impact DPHHS services as none of the information contained on the server was lost and we have a complete back-up of the information.

A Simplified View of a Data Breach
Stages:
- Discovery of a Data Breach
- Evaluation of the Data Breach
- Managing the Short-Term Crisis
- Handling the Long-Term Consequences
Associated activities and consequences (diagram elements): notification and class action lawsuits; theft, loss, or unauthorized disclosure of PHI, PII, PCI; forensics and legal review; credit monitoring; regulatory fines, penalties, and consumer redress; public relations; reputational damage; income loss.

What Will You Encounter?
- Law enforcement
- Class actions
- System remediation and revalidation
- Reporting of impact
- Regaining public trust

What Will Forensic Firms Ask You?
1. How did you detect the intrusion?
2. Do you have a WISP or breach response plan?
3. Describe the data that you process or store.
4. Describe the logs that you maintain.
5. Are you preserving the environment?
6. Do you have a network diagram?
7. Describe your network environment.
8. What IT resources do you have?
9. Are there critical third-party vendors?
10. What have you done so far?

Who Needs to be Notified?
- Affected individuals
- Government agencies
- Attorneys General
- Law enforcement
- Credit Reporting Agencies (CRAs)
